And it’s only going to get harder.  As criminals more eloquently tamper with ACH files, batches and transactions, they will more readily bypass caps, limits, and calendar validations. Realistically it is becoming more and more untenable for operational staff to hunt and peck for fraud in the manner in which they are today.  The fraudulent needles are getting smaller as the haystack of payments is growing larger.

In an infographic that we just released, we call out the four levels of fraud infiltration.  You’ll see as you study the diagram, that criminals are moving further and further into the files, making it harder for traditional “hunting and pecking” approaches to finding fraud an unsustainable model.

Here’s a sneak peak at the four levels.

• LEVEL ONE – Fraudster submits a new ACH Batch file, all of which is fraudulent. Fraudulent files may or may not violate caps or calendar rules.
• LEVEL TWO – Fraudster breaks into an existing batch file and adds a new payments which will change the number of transactions in the file and the total amount of all transactions in the file. Files may still be below established caps/limits.
• LEVEL THREE – Fraudster breaks into an existing batch file and adds some new credit transactions (steals some money), but simultaneously adds some new debit transactions that leave the total dollar movement for the file as a whole unchanged.
• LEVEL FOUR – Fraudster breaks into an existing batch file and edits specific parts of existing transactions (e.g. The payee account number), which leaves the number of transactions and the total dollar movement for the file as a whole unchanged.

Guardian Analytics was founded to turn online banking fraud prevention upside. Using behavioral analytics, our solution has turned two hundred financial institutions into highly proactive organizations that have high-risk activity detected FOR them before money leaves the bank.  With FraudMAP ACH, we are again fundamentally changing how FI’s manage their risk, this time by applying our proven anomaly detection capabilities to ACH transactions.  Regardless of how deep the criminals go, or how stealthy they are, FraudMAP ACH will surface any unusual activity and prioritize it for review. No more hunting and pecking.  The needles stand out bright red no matter how big you

Where this all began – a  fraud attack

In a series of 6 fraudulent ACH transfers in 2009, fraudsters were able to drain $580,000 out of PATCO’s commercial account with the former Ocean Bank (now People’s United Bank). The bank was able to recover $243,000, leaving approximately $340,000 in losses.

The Initial Ruling

In 2010 PATCO file suit against Ocean Bank to recover its losses.  In the original ruling in August 2011, the District Court ruled in favor of Ocean Bank based stating that the bank did, in its opinion, have “commercially reasonable” security in place.  This opinion stemmed primarily from the fact that PATCO had signed a contract with the bank agreeing to the security procedures at the bank and also that the bank had common security solution in place.

With that said, the ruling did go out of its way to note that the bank probably should have detected the unusual activity since it was so unusual for PATCO’s typical behavior.

The Reversal on Appeal

Interestingly, the appellate court took a much broader view of what a “commercially reasonable” security solution offered and paid greater attention to the bank’s actions in utilizing the technology solutions that they had in place, not just the technology itself.

Here are some noteable examples from the latest ruling:

• The bank used what the court calls a “one-size-fits-all” approach to monitoring and authenticating transactions. All ACH and wire transactions over $1 triggered a challenge question. The original intent was to increase security, but the actual impact was an increase in the chance that the response would be compromised, ultimately weakening this defense.
• The bank had the ability to monitor high-risk transactions through its transaction-profiling and risk-scoring system, but chose not to do so. As one example, Ocean Bank’s scoring system gave the first fraudulent transaction a risk score of 790; PATCO’s usual risk scores ranged between 10 and 214.
• The fraudulent ACH transfers out of PATCO’s account went to numerous individuals PATCO had never paid before. The perpetrators also logged in from devices and IP addresses never used by PATCO.

“The payment orders at issue were entirely uncharacteristic of PATCO’s ordinary transactions,” the ruling states. “These collective failures, taken as a whole, rendered Ocean Bank’s security procedures commercially unreasonable.”

I’m not trying to paint Ocean Bank as a ‘bad guy’ but more express a challenge the whole industry is facing. With criminal attacks growing more stealthy and more speedy every day and without the right tools to pinpoint the bad actors, it difficult for any bank to stay on top of the ever-growing online and mobile activity.

Lessons Learned

With that said, here are a few some takeaways from this whole situation.

• Having a lot of technology is not enough. The courts are setting the stage that they will look for how the use of technology impacts the overall security.

• The courts are shifting expectations of banks. Taken in conjunction with two other high-visibility lawsuits – EMI v. Comerica and Village View Escrow v. Professional Business Bank – the courts are expanding what is expected of financial institutions, or at least setting precedents that define terms such as “reasonable security” or “good faith”.  In both cases with judgements, the courts mention that the banks should have been able to detect the fraudulent activity because it was so unusual relative to typical customer behavior.

• “One size fits all” doesn’t work. Security solutions and policies must be dynamic and tuned to each customer, situation, transaction, or online banking session. In other words, financial institutions need better tools to avoid having to consider such a “one size fits all” approach. On this point Gartner’s Avivah Litan commented, “Small banks just don’t have any resources to monitor 15-20 percent of the log-ins every day; they need better tools.”

• Monitor. Monitor. Monitor. The fraudsters are clever and sophisticated, and unfortunately, financial institutions cannot let up for a minute. In the PATCO case, the fraudsters got through user ID & password, cookie-based device authentication, IP address profiling, challenge questions, and risk scoring, which taken together satisfied the “commercially reasonable” litmus test. And while fraudsters have repeatedly demonstrated the ability to surmount these defenses, they stand a better chance of detecting fraud only when the financial institution is actively monitoring activities and alerts.

• Total losses are much higher than the fraudulent transfer. While the ruling did not award specific damages, instead simply encouraging the two parties to settle out of court, the legal costs, productivity losses, and negative PR dwarf the nominal fraud loss.

What’s a Financial Institution to Do?

I doubt anyone would debate that fraud prevention is a responsibility shared between the financial institution and their commercial clients. And when things go bad, it’s clearly a point of contention – often a severely divisive one – as to how this responsibility is shared. I encourage bankers to thoroughly consider how they can use the lessons learned from this case to do their part, and maybe even more than their part.

In today’s competitive, tight-margin banking environment, this ruling suggests to me an opportunity to use security as a differentiator to win new accounts and expand services (i.e. increase revenue). This is the ideal time to first put in place truly effective fraud prevention solutions across online, mobile and ACH channels, and then feature your commitment to preventing fraud in your communications to customers and prospects.  And, there are modern tools available that deliver efficient and effective fraud prevention.

Your business clients are not experts in security, which is why they are under attack from criminals. And again, security today is a shared responsibility, but the reality is that they are dependent upon you, their banking institution, and they (quite reasonably) expect you to be an expert (keep an eye out for more stats on this from our upcoming business banking trust study).

So, I encourage you to be the expert. Put in place outstanding layered security with the people and policies to ensure it works as designed. And then use that investment to gain new business and improve customer trust, loyalty, and longevity.

Criminals in the Cloud – Disguise and Adaptability
In “server-side attacks”  the fraudsters use automated logic on a server in the cloud to identify targets and subsequently compromise the account, find mules, initiate transactions and mask account balances. This is a new server in the criminals’ arsenal, purpose-built and solely dedicated to processing fraudulent transactions (unlike typical  multi-purpose botnet servers used for spam, DDOS, credential harvesting). This means fewer signals for researchers or detection tools to find.

With server-based attacks, criminals are highly adaptable. They can readily modify their attack code to adapt to any workflow or security changes at a financial institution and dynamically adjust communications to clients as servers are moved around, without having to update code on every infected client.

Targeting the Elite Across the Globe
This fraud campaign started with automated attacks against wealthy consumers in Italy (balances of €200,000-€500,000) and then evolved to use server-side automated attacks against businesses in the Netherlands, Germany, and Columbia and the US. The most recent attacks started in March with an new evolution – criminals employed hybrid automated/manual scheme targeting high-balance U.S. businesses (assets in the tens of millions of dollars).  Overall,  the limited, targeted approach creates a highly favorable risk-reward scenario for the criminals- big payoffs with reduced chances of detection.

A few key takeaways for the industry:

• Criminals are not sitting still: they are continually innovating their attacks to increase their paydays and reduce detection.
• Every financial institution should be prepared for this and other attacks: The attacks hit financial institutions of all sizes including community banks and credit unions in the United States that use common online banking platforms
• The industry needs collaboration on threat research: By working together, as McAfee and Guardian Analytics did on this project, we can improve the industry’s ability to understand quickly detect new schemes and alert the rest of the industry and law enforcement
• Criminals still look like criminals, not like real users: Despite the sophistication of these attacks, behavior-based anomaly detection solutions like FraudMAP will still detect the subtle differences in behavior that can tip off FIs that a specific banking session may a fraud attack, not the legitimate account holder

Read the full report: Dissecting Operation High Roller

Lately our fraud researchers have noticed a disturbing trend toward “inside jobs” – schemes that rely on money mules recruited from within the legit business’ own employee ranks.  Enlisting them is difficult, so mule handlers offer higher commissions to their traitorous partners. The more common commercial account fraud method is the use of professional mules who set up fictitious companies specifically to receive stolen payouts.

Corporate account credentials command a higher price on the criminal black market. Why? Business-to-business accounts typically transfer higher dollar amounts, more frequently, than retail accounts.  International transfers are easier. Repetitive transactions in a short period of time are easier. These realities all provide more incentive for business mules to complete fraudulent transfers… again and again. Repeat use of business mules is becoming disturbingly common.

These witting mules are hard to detect. The fraudster is relying on a business mule’s seemingly legitimate actions to bypass any security controls. Anti-fraud technology often focuses on business-to-consumer fraud, so B2B transactions receive less scrutiny. The best method of detecting and preventing a mule from emptying your corporate account is to detect account takeover attempts early, before the money is gone. Early fraud setup activity – such as creating a new (fraudulent) payee – can be detected using anomaly detection technology that monitors account activity from login to logout.

My colleague Craig Priess explains business mule scenarios in this video explaining their tactics. Check back with this blog for the latest cybercrime tools and techniques from our fraud and threat research teams.

Recent industry coverage has only reinforced the continued increase in the overall volume of fraud attacks. In addition, fraudsters are becoming annoyingly adept at covering their tracks with smokescreen methods such as distributed denial-of-service (DDoS) attacks.

What we’re reminded of repeadedly is that financial institutions must be prepared to defend against a wide range of sophisticated attacks plus new schemes that emerge regularly. Here are a few articles that may be of interest as you develop risk mitigation strategies this year:

New Strains of Malware Emerge…

New Mac Malware Exploits Java Bugs to Steal Credentials
Flashback.G is the first Trojan variant of a well-known family of Mac malware to use an attack vector that doesn’t require any user interaction. This new version exploits Java vulnerabilities in Mac’s legacy operating system to keylog usernames and passwords for online payment, banking, and credit card websites.

Citadel Banking Malware Is Evolving and Spreading Rapidly
Malware development has gone open source. Citadel, a new ZeuS variant, is evolving and spreading rapidly because its creators adopted a community-based development model. Each version of Citiadel adds new modules and features, some submitted by “customers” themselves.

Banking Malware Finds New Weakness
A new ZeuS variant called Ice IX (“ice-9”) automates the process of stealing and changing account holder phone numbers to defeat two-factor authentication. Fraudsters are using it to intercept verification phone calls and pose as the customer to approve their own fraudulent transactions.

….While New Attacks Demonstrate Fraudsters’ Perseverence…

Banking Trojan Hijacks Live Chat to Run Real-time Fraud
A new attack on the Shylock malware platform is hijacking live chat sessions to get business banking customers to hand over their credentials or authorize fraudulent transactions. This Man-In-the-Browser assault interrupts an online session to chat up the victim about a “system check” while the cybercrook simultaneously completes the theft in real-time.

New Cyber Scam Is More Polished than Most
More professional and elaborate than most social engineering scams, a realistic-looking shopping scam email disguises its executable payload as a harmless PDF where “your recent order can be viewed.” It’s really a nasty Trojan with bot and keylogging capabilities that steals banking credentials.

New Malware Attacks Target Online Banking
A new Man-In-the-Browser attack tricks users who log into a bank’s real site with an offer of training in a new “upgraded security system.” After stealing account holder funds it changes on-screen balances to hide its activities, rendering evidence of the theft invisible.

…And the Volume of Attacks Continues to Increase.

780 New Malicious Internet Banking Programs Every Day
Kaspersky Labs reported on the recent explosion of banking malware: 1.1 percent of all malicious programs detected – or 780 new programs EACH day – target financial data. A malicious program of this kind is detected on an average of 2,000 unique users’ computers every day.

Mobile Malware Doubled in 2011  
The 2011 Mobile Threats Report from Juniper Networks found that the amount of malware created for mobile devices across all operating systems more than doubled in 2011. 63 percent of the malware found could collect financial information.

We recently released an Anomaly Detection Toolkit to help educate financial institutions on the topic. Here is our infographic on what anomaly detection is, how it works to detect fraud attacks, and how financial institutions can respond to any anomalous, or suspicious, online banking activity. 

We here at Guardian Analytics know a little something about anomaly detection. We’ve pioneered use of this technology to detect online banking fraud, and currently deliver this powerful capability to about 150 banks and credit unions – day in and day out.

If you want to hear this graphic come to life, here’s a video with voiceover that explains the whole process.

(click to enlarge the infographic in a new window)

Fraudsters are getting creative and employing a new, retail-based approach. Why? To decrease the risk of their mules getting caught. They are using high-end jewelry stores to essentially launder their loot.

Here’s how it works:

1. The fraud victim – typically a business banking customer – gets a phishing email that appears to originate from reputable organizations like the National Automated Clearing House Association (NACHA), the Federal Reserve Bank, or the Federal Deposit Insurance Corporation (FDIC). When this attack was first launched, all emails appeared to originate from NACHA. The email may claim that there is problem with a recent transaction that requires the user’s attention.
2. When the link in the email is clicked, the victim is sent to a bogus website and inadvertently downloads a new variant of the notorious ZeuS malware called “Gameover”.
3. Once infecting the victim’s PC, “Gameover” keylogs all online banking activity and sends stolen account credentials to the criminal.
4. In a new wrinkle, the criminal employs a DDoS attack to cover their tracks. When the attack begins, the victim’s business may be hit with DDoS to prevent Internet access so they don’t notice the attack and can’t reverse the transaction.
5. In a more sophisticated version of the scheme, the financial institution is included in the DDoS attack, further decreasing the likelihood of the fraudulent transfers being noticed.
6. The criminal wires money to a high-end jewelry store and then places an order for precious stones or expensive watches.
7. A mule physically visits the store to pick up the order.  The jeweler checks their account, sees that the funds are there, and delivers the merchandise to the mule.
8. The mule may then turn the jewelry over to the fraudster or sell it for cash.
9. When the fraud is discovered, it can be the account holder or the jewelry store itself that’s hit with the loss.

It’s definitely “game over” for the victims of this fraud scheme.

This use of the Gameover Trojan was recently written up by the FBI and my colleague Craig Priess explains it nicely in a video explaining this attack. Our fraud and threat research teams stay up to date on the latest cybercrime tools and techniques and I hope you will use this blog as a resource for combating fraud at your financial institution.

Recently we heard a tale from one of our customers with an interesting twist. At Guardian Analytics we are passionate about the concept of great security AND a great account holder experience.  The plot twist in this fraud story highlights how the right protections can create the right customer experience that builds trust and loyalty. And lack of the right protections creates, well, something very different.

The movie begins with one of our customers, Bank A, a mid-sized bank using FraudMAP that proactively detected suspicious activity in an account.  FraudMAP alerted the bank to unusual behavior before any sort of transaction was initiated.

Based on the suspicious behavior, the bank called the account holder to inquire about the activities.  The account holder confirmed that they had not logged in to their account at that time or from that location. He was thrilled that the bank was proactively looking out for his safety and was able to catch this before any money was moved.

Now for the twist: while they were on the phone discussing next steps, the account holder realized that if his account at Bank A had been compromised, it was likely his account at Bank B had been compromised as well.

He logs into his account at Bank B, a much larger national bank, and discovers that a very large wire transfer had been initiated through his account and released by the bank. He had to make “the call” that far too many banks receive – according to a survey done by ISMG – 76% of FIs find out about fraud from their customers.

One client, two banks. One happy ending, one nightmare.  The FFIEC got it right. In their new Guidance for online banking security, they call for all banks to have anomaly detection as the foundational component of their security strategy.  This account holder’s money was clearly safer in the bank with sophisticated anomaly detection looking for signs of suspicious activity before money leaves the bank.  Powerful protections and a great customer experience can and do co-exist.

Which movie would you star in? The fairy tale? Or the horror story?

With so much going on, we thought we’d use the blog to regularly summarize the hot news. Welcome to our first “Fraud Roundup”:

• New FFIEC Supplement and Clarifications from the Agencies

The FFIEC raised the bar on expectations for layered security, risk assessments and customer education. Following the Supplement’s release, there has been a lot of discussion on the topic of the guidance and layered security.

In recent presentations by the FDIC, OCC and the Federal Reserve Board, the Agencies make one thing very clear about the Supplement: all institutions are expected to have layered security; layered security at a minimum is defined by the capability to detect and respond to anomalous customer behavior at login and initiation of transaction. The Agencies further clarified this is expected for retail and commercial banking and that business accounts.

For more details, resources, and to track what key topics about the Supplement, please visit our FFIEC Resource site.

• New ACH Fraud Suit Filed, BankInfoSecurity.com

In March 2010, Village View Escrow of California had its online bank account infiltrated by hackers, suffering $465,000 in losses. The company now has filed a lawsuit in the California Superior Court against its bank. This is the latest in a stream of other recent commercial banking fraud lawsuits.

• FBI Investigating Online Banking Theft of $139,000 from Pittsford, NY, Krebs on Security

The fraud losses continue. The latest theft is the latest reminder that cybercriminals are effectively bypassing existing controls.

• More Fraud Losses – eThieves Steal $217k from Arena Firm, Krebs on Security

Cyber thieves stole $217,000 last month from the Metropolitan Entertainment & Convention Authority (MECA), a nonprofit organization responsible for operating the Qwest Center and other gathering places in Omaha, Nebraska.

• Spam Fraud Down, Targeted Phishing Attacks Up 400%, Bank Technology News

End users aren’t getting any relief. A Cisco study finds that cyber fraud has shifted from mass, generalized attacks to very specific spear phishing hits that harness stolen user information to dupe unwitting consumers (such as bank customers and cardholders) into divulging account information.

• SpyEye hacker toolkit to lead to surge in cyberattacks, USA Today

Security experts are expecting a surge in SpyEye attacks this year, after the license key to SpyEye, the top rival to the ZeuS banking Trojan, was exposed. Hackers started making versions of SpyEye available for $100 (down from $10,000), making the Trojan kit much more readily available to criminal gangs. More than 2.2M computers are estimated to be infected and under the control of SpyEye botnets.

• Mobile Malware on the Rise, McAfee

McAfee reports that the Android was the most popular target for malware developers in Q2 2011. Researchers highlight mobile crimeware on the Android that forwards SMS messages, a technique to thwart out of band authentication and verification.

The article pretty thoroughly covers the commercial account fraud ecosystem and the devastating results of fraud.  But while it nicely admires the problem, it fails to point out that there are solutions within the reach of every bank and credit union, and that many are equipping themselves to proactively stop these attacks.  And they are doing so successfully and affordably.

A rapidly growing number of national and community banks and credit unions are using FraudMAP, our anomaly detection and transaction monitoring solution, to identify account takeover and stop the very fraudulent wire and ACH transfers described in this article. These institutions consistently detect and stop fraud, spend less than an FTE to investigate high-risk accounts, and receive high praise from their account holders when they make a call to discuss suspicious activity. It took many of these institutions less then a week to deploy the solution on a wide variety of online banking platforms, and it costs them less then one average ACH or wire fraud.

As I discussed in my last blog post the FFIEC recently updated its guidance on Internet Banking security. They too agree that the threat has grown too great, criminals can defeat existing controls, and this is an issue banks must tackle. They are now expecting all institutions to have the capability to detect and respond to anomalous behavior.

We had an interesting call from one of our customers today that highlighted the difference between banks that are equipped to solve the problem and those that are not.  Our customer, lets call them Bank A, used FraudMAP to proactively detect an account compromise for one of their accounts. Our solution alerted Bank A to suspicious activity in the account and they quickly notified the account holder. This all happened before a fraudulent money transfer was even attempted.  While discussing the situation, the account holder mentioned that they had also an account at a different institution, Bank B, which is not a user of FraudMAP.  When the account holder checked their account at Bank B, they found an unauthorized wire transfer and a significant amount of $$$ missing from their account.

Bank B now is faced with 1) spending time to attempt claw back the money, 2) trying to explain why they were not able to stop a fraud that Bank A could and 3) a potential customer loss.  Customer churn is a common outcome of these attacks – our 2011 Business Banking Trust Study reports that 43 percent of SMBs take their banking business to another institution following a fraud attack. Despite the title of the article, nobody wins when a commercial account is raided.

This real-world scenario shows that with the right protections in place, money can be safe in the bank. And it can be safe at large banks, midsize banks and small banks.  Businesses don’t need to run to the large institutions, they should just work with banks that have the right security.

By this time next year, if institutions meet the updated layered security expectations set forth in the guidance, the story should be very different. Instead of focusing on the villains and victims, we’ll be hearing stories of the heroes who stopped the criminals in their tracks.  We’ll be hearing more stories of  ordinary institutions providing extraordinary fraud prevention.